by Jay Marshall Wolman, CIPP/US
This past June, the Connecticut General Assembly enacted Public Law No. 15-142, ostensibly to improve data security in the state. It follows on the heels of the Anthem data breach earlier this year. The first major provision governs state contractors in receipt of confidential information received from the state. The second major provision, addressed to Anthem and other health insurers, creates specific obligations to secure data under a regulatory scheme. The third major provision addresses all other businesses.
Previously, reasonable notice of a data breach (release of certain unencrypted personal information) was required to be given. A specific 90-day notice is now required. More important is the remedy provision: in the event of a data breach, businesses (including health insurers) must implement identity theft prevention and/or mitigation services. This also includes incidents where there is no actual proof of a data breach, only reasonable suspicion. Normally, regulatory burdens such as these impose greater costs on the marketplace. This may not be the case here.
Following Clapper v. Amnesty International, USA, most federal courts addressing standing (i.e., whether you can claim a right to sue) have found that the increased risk of injury from identity theft is not an injury sufficient to confer standing. Novel theories to avoid this holding have included the costs of identity theft protection services incurred by breach victims. This theory has been rejected at the trial court level. See, e.g., In re Barnes & Noble Pin Pad Litigation.
Many companies experiencing a data breach automatically offer identity theft protection services, for public relations reasons. Thus, the formal obligation under law would not likely add significant cost. And, even assuming cases like the Barnes & Noble one were reversed on appeal, the claimants would no longer bear the costs of such services, since the companies are now required (at least in Connecticut) to provide those identity theft services. The practical effect will be that more consumer data theft class actions will likely be won on the defense of lack of subject matter jurisdiction (how a defense of lack of standing is brought). With dismissal, there would be no settlement and no claim for millions of dollars in attorneys’ fees. As a result, companies experiencing a breach (and their cyber insurers) would potentially save millions by doing what they already do, merely because the services are now required.
Of course, if increased regulation with a de jure cost burden has a de facto cost savings due to costs imposed by the court system, it may be time to take a closer look there as well.